EXPLORE DETECTIONS
CVE-2025-1146 - System Scoping using OsVersionInfo & Logon Data
The query below looks for Linux systems (Linux hosts, Kubernetes nodes, containers) that need to be updated against CVE-2025-1146. It is based on the OsVersionInfo event, which is generated every 24 hours, at sensor start, or at sensor update. It attempts to merge in LogonType 2 and 10 events to determine the last logged-on user.
CVE-2025-53770 - SharePoint ToolShell
WebShell discovery from w3wp.exe. Falcon has native detection/prevention capabilities for this attack sequence. The following looks for the process and file-write chain:
```
w3wp.exe --> cmd.exe --> powershell.exe --> .aspx file write
```
CVE-2025-59287 - WSUS Identification+Vulnerability Query
The query below outputs a list of your Windows servers with a Falcon sensor, tells you whether they need to be patched for the CVE, when the data was last updated, and whether WSUS was "detected". Reference: https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlnti7p/
CVE-2025-59287 vulnerable WSUS servers identification
This CQL query identifies WSUS servers that have the wsusservice enabled and that are vulnerable to CVE-2025-59287. Reference: https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlp7men/
CVE-2026-32202 - Windows Shell
Exploitation of Windows Shell CVE-2026-32202. Reference: https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
Decode SignInfoFlags
The query decodes SignInfoFlags from Windows process events to identify signature details and highlight unsigned or improperly signed executables. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20SignInfoFlags.md)
Decode VolumeDeviceCharacteristics Bitmask
The query decodes the VolumeDeviceCharacteristics bitfield to reveal device properties such as removable media, network drives, virtual volumes, or portable devices. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20VolumeDeviceCharacteristics%20Bitmask.md)
Deleted Local User Accounts
Table of all deleted local user accounts including UserName, ComputerName, aid, aip, and LocalIP.
Detect and Decode Base64-Encoded PowerShell Commands
The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20Base64.md)
Detect and Decode Base64-Encoded PowerShell Commands - http
The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20Base64.md)
Detect Critical Environment Variable Changes over SSH with Connection Details
The query identifies changes to critical environment variables, extracts connection details such as user, local and remote IPs and ports, and provides a direct link to the related process in Falcon Process Explorer. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Critical%20Environment%20Variable%20Changed%20SSH.md)
Detect Data Exfiltration via external storage devices
This query shows unusual activity involving external storage devices, such as large file copy operations or bulk transfers to physical external media. While USB devices are common for legitimate use, adversaries may exploit them to exfiltrate confidential data outside normal monitoring channels. Such activity is especially concerning in restricted environments, as it bypasses network-based detection controls and can indicate an insider threat or physical compromise.
Detect locally disabled RTR
This query identifies hosts on which Real Time Response (RTR) has been disabled locally.